Access control is fundamental for enforcing security and privacy requirements in data processing systems, protecting system resources such as files, applications, databases, and so on, against unauthorized access by internal or external system users. In electronic commerce, for example, and indeed in the Internet in general, one of the most important considerations is ensuring that only authorized users can access valuable resources.
A recordable data storage medium of an embodiment of the invention stores computer program code executable by a processor. The computer program code includes a first computer program part to determine whether a policy data structure defines an authorization for a request to access a resource. The policy data structure defines predetermined authorizations. Each predetermined authorization relates to authorization of at least one user to access at least one resource. Each predetermined authorization further relates to dynamic access requirements. Each dynamic access requirement indicates a condition that a respective set of attributes associated with a user request to access a resource must satisfy for the request to be granted in the absence of an authorization determinative of the request. The computer program code includes a second computer program part to, in response to determining that the policy data structure defines an authorization for the request to access the resource, apply the authorization to determine whether to grant the request.
The computer program code includes a third computer program part to, in response to determining that the policy data structure does not define an authorization for the request to access the resource, determine whether the policy data structure defines a dynamic access requirement determinative for the request. The third computer program part is, in response to determining that the policy data structure defines a dynamic access requirement determinative for the request, to determine whether to grant the request in accordance with the respective set of attributes associated with the request. The computer program code includes a fourth computer program part to, for at least one user request, after determining whether to grant the request, add a dynamic authorization relating to authorization to access the resource within the request to the policy data structure.
An apparatus of an embodiment of the invention includes a memory to store an access control policy data structure defining predetermined authorizations. Each predetermined authorization relates to authorization of at least one user to access at least one resource. Each predetermined authorization further relates to dynamic access requirements. Each dynamic access requirement indicates a condition that a respective set of attributes associated with a user request to access a resource must satisfy for the request to be granted in the absence of an authorization determinative of the request. The apparatus includes control logic to respond to a request to access a resource by determining whether the policy data structure defines an authorization for the request. The control logic, in response to determining that the policy data structure defines an authorization for the request to access the resource, applies the authorization to determine whether to grant the request.
In response to determining that the policy data structure does not define an authorization for the request to access the resource, the control logic determines whether the policy data structure defines a dynamic access requirement determinative for the request. In response to determining that the policy data structure defines a dynamic access requirement determinative for the request, the control logic determines whether to grant the request in accordance with the respective set of attributes associated with the request. For at least one user request, after determining whether to grant the request, the control logic adds a dynamic authorization relating to authorization to access the resource within the request to the policy data structure.
A system of an embodiment of the invention includes resources and an apparatus to control access to the resources. The apparatus includes a memory to store an access control policy data structure defining predetermined authorizations. Each predetermined authorization relates to authorization of at least one user to access at least one resource. Each predetermined authorization further relates to dynamic access requirements. Each dynamic access requirement indicates a condition that a respective set of attributes associated with a user request to access a resource must satisfy for the request to be granted in the absence of an authorization determinative of the request. The apparatus includes control logic to respond to a request to access a resource by determining whether the policy data structure defines an authorization for the request.
In response to determining that the policy data structure defines an authorization for the request to access the resource, the control logic applies the authorization to determine whether to grant the request. In response to determining that the policy data structure does not define an authorization for the request to access the resource, the control logic determines whether the policy data structure defines a dynamic access requirement determinative for the request. In response to determining that the policy data structure defines a dynamic access requirement determinative for the request, the control logic determines whether to grant the request in accordance with the respective set of attributes associated with the request. For at least one user request, after determining whether to grant the request, the control logic adds a dynamic authorization relating to authorization to access the resource within the request to the policy data structure.
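The three embodiments above (storage medium, apparatus, system) describe the same decision procedure: an explicit authorization in the policy data structure is applied if one exists; otherwise a dynamic access requirement is evaluated against the attributes of the request; and the outcome is then recorded as a dynamic authorization so that later requests are decided in the first step. The following Python model is an added illustration and is not code from the patent. All names in it (PolicyStore, DynamicRequirement, decide, the users, resources and attribute keys) are hypothetical, and the time-to-live on recorded dynamic authorizations is an assumption introduced here to show the practical consequence of step three: once a decision is recorded, the attributes are no longer re-checked until that record is removed or expires.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Illustrative model of the described procedure; all identifiers are hypothetical.


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    attributes: Dict[str, object] = field(default_factory=dict)


@dataclass
class Authorization:
    user: str
    resource: str
    granted: bool
    dynamic: bool = False              # True when recorded after evaluating a requirement
    expires_at: Optional[float] = None  # assumption: dynamic records may be time-bounded


@dataclass
class DynamicRequirement:
    resource: str
    condition: Callable[[Dict[str, object]], bool]  # predicate over request attributes
    ttl: Optional[float] = None  # lifetime of the authorization recorded from this rule


class PolicyStore:
    """Policy data structure holding predetermined authorizations and dynamic requirements."""

    def __init__(self) -> None:
        self.authorizations: List[Authorization] = []
        self.requirements: List[DynamicRequirement] = []

    def find_authorization(self, req: Request, now: float) -> Optional[Authorization]:
        for auth in self.authorizations:
            if auth.user != req.user or auth.resource != req.resource:
                continue
            if auth.expires_at is not None and now >= auth.expires_at:
                continue  # an expired dynamic record is no longer determinative
            return auth
        return None

    def find_requirement(self, req: Request) -> Optional[DynamicRequirement]:
        for rule in self.requirements:
            if rule.resource == req.resource:
                return rule
        return None


def decide(policy: PolicyStore, req: Request, now: float = 0.0) -> Tuple[bool, str]:
    """Return (granted, basis): step 1 authorization, step 2 requirement, step 3 record."""
    auth = policy.find_authorization(req, now)
    if auth is not None:
        return auth.granted, "authorization"
    rule = policy.find_requirement(req)
    if rule is None:
        return False, "default-deny"  # nothing in the policy is determinative
    granted = bool(rule.condition(req.attributes))
    expires = None if rule.ttl is None else now + rule.ttl
    # Step 3: record the outcome so the next matching request is decided in step 1.
    policy.authorizations.append(
        Authorization(req.user, req.resource, granted, dynamic=True, expires_at=expires))
    return granted, "dynamic-requirement"


def build_demo_policy() -> PolicyStore:
    # Constructed sample policy: one explicit grant, one explicit deny, one attribute rule.
    policy = PolicyStore()
    policy.authorizations.append(Authorization("alice", "/ledger", granted=True))
    policy.authorizations.append(Authorization("mallory", "/ledger", granted=False))
    policy.requirements.append(DynamicRequirement(
        "/ledger",
        condition=lambda a: a.get("role") == "auditor" and a.get("mfa") is True,
        ttl=600.0))
    return policy


def run_demo() -> List[Tuple[bool, str]]:
    policy = build_demo_policy()
    bob_strong = Request("bob", "/ledger", {"role": "auditor", "mfa": True})
    bob_weak = Request("bob", "/ledger", {"role": "auditor", "mfa": False})
    return [
        decide(policy, Request("alice", "/ledger"), now=0),                 # explicit grant
        decide(policy, Request("mallory", "/ledger", {"role": "auditor", "mfa": True}), now=0),
        decide(policy, bob_strong, now=0),   # no record yet: attributes evaluated, grant recorded
        decide(policy, bob_weak, now=10),    # recorded grant applies; attributes not re-checked
        decide(policy, bob_weak, now=700),   # record expired: attributes re-evaluated, denied
        decide(policy, Request("bob", "/payroll"), now=0),                  # nothing determinative
    ]
```

The second call shows that an explicit deny is applied in step one even when the attributes would satisfy the dynamic requirement, and the fourth call shows the trade-off of step three: the recorded dynamic authorization makes the decision independent of later attribute changes, which is why a deployment should bound or invalidate such records rather than keep them indefinitely.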